Commit Graph

14 Commits

Author SHA1 Message Date
Oliver Neukum d5d1ceac2a USB: open disconnect race in usblcd
this driver has a possible use after free due to a race when disconnect
and open handle intfdata without a lock.

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-10-25 12:18:46 -07:00
Greg Kroah-Hartman 0723af13bf USB: misc: usblcd: clean up urb->status usage
This done in anticipation of removal of urb->status, which will make
that patch easier to review and apply in the future.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-07-19 17:46:08 -07:00
Oliver Neukum 7bbe990c98 USB: autosuspend for usblcd
this patch implements autosuspend for the usblcd driver. It uses
the new usb_anchor infrastructure. Many thanks to Georges for testing.

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Cc: Georges Toth <g.toth@e-biz.lu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-07-12 16:34:38 -07:00
Alan Stern d4ead16f50 USB: prevent char device open/deregister race
This patch (as908) adds central protection in usbcore for the
prototypical race between opening and unregistering a char device.
The spinlock used to protect the minor-numbers array is replaced with
an rwsem, which can remain locked across a call to a driver's open()
method.  This guarantees that open() and deregister() will be mutually
exclusive.

The private locks currently used in several individual drivers for
this purpose are no longer necessary, and the patch removes them.  The
following USB drivers are affected: usblcd, idmouse, auerswald,
legousbtower, sisusbvga/sisusb, ldusb, adutux, iowarrior, and
usb-skeleton.

As a side effect of this change, usb_deregister_dev() must not be
called while holding a lock that is acquired by open().  Unfortunately
a number of drivers do this, but luckily the solution is simple: call
usb_deregister_dev() before acquiring the lock.

In addition to these changes (and their consequent code
simplifications), the patch fixes a use-after-free bug in adutux and a
race between open() and release() in iowarrior.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-07-12 16:29:48 -07:00
Oliver Neukum 5afeb104e7 USB: usblcd doesn't limit memory consumption during write
usblcd currently has no way to limit memory consumption by fast writers.
This is a security problem, as it allows users with write access to this
device to drive the system into oom despite resource limits.
Here's the fix taken from the modern skeleton driver.

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-06-25 23:38:06 -07:00
Oliver Neukum 2e85c91e2e USB: kill BKL in usblcd
this patch removes usage of BKL from usblcd, which got it from the old
skeleton driver.

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-04-27 13:28:33 -07:00
David Howells 7d12e780e0 IRQ: Maintain regs pointer globally rather than passing to IRQ handlers
Maintain a per-CPU global "struct pt_regs *" variable which can be used instead
of passing regs around manually through all ~1800 interrupt handlers in the
Linux kernel.

The regs pointer is used in few places, but it potentially costs both stack
space and code to pass it around.  On the FRV arch, removing the regs parameter
from all the genirq function results in a 20% speed up of the IRQ exit path
(ie: from leaving timer_interrupt() to leaving do_IRQ()).

Where appropriate, an arch may override the generic storage facility and do
something different with the variable.  On FRV, for instance, the address is
maintained in GR28 at all times inside the kernel as part of general exception
handling.

Having looked over the code, it appears that the parameter may be handed down
through up to twenty or so layers of functions.  Consider a USB character
device attached to a USB hub, attached to a USB controller that posts its
interrupts through a cascaded auxiliary interrupt controller.  A character
device driver may want to pass regs to the sysrq handler through the input
layer which adds another few layers of parameter passing.

I've build this code with allyesconfig for x86_64 and i386.  I've runtested the
main part of the code on FRV and i386, though I can't test most of the drivers.
I've also done partial conversion for powerpc and MIPS - these at least compile
with minimal configurations.

This will affect all archs.  Mostly the changes should be relatively easy.
Take do_IRQ(), store the regs pointer at the beginning, saving the old one:

	struct pt_regs *old_regs = set_irq_regs(regs);

And put the old one back at the end:

	set_irq_regs(old_regs);

Don't pass regs through to generic_handle_irq() or __do_IRQ().

In timer_interrupt(), this sort of change will be necessary:

	-	update_process_times(user_mode(regs));
	-	profile_tick(CPU_PROFILING, regs);
	+	update_process_times(user_mode(get_irq_regs()));
	+	profile_tick(CPU_PROFILING);

I'd like to move update_process_times()'s use of get_irq_regs() into itself,
except that i386, alone of the archs, uses something other than user_mode().

Some notes on the interrupt handling in the drivers:

 (*) input_dev() is now gone entirely.  The regs pointer is no longer stored in
     the input_dev struct.

 (*) finish_unlinks() in drivers/usb/host/ohci-q.c needs checking.  It does
     something different depending on whether it's been supplied with a regs
     pointer or not.

 (*) Various IRQ handler function pointers have been moved to type
     irq_handler_t.

Signed-Off-By: David Howells <dhowells@redhat.com>
(cherry picked from 1b16e7ac850969f38b375e511e3fa2f474a33867 commit)
2006-10-05 15:10:12 +01:00
Luiz Fernando N. Capitulino b0b660b8d5 USB: usblcd: Use usb_endpoint_* functions.
Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-09-27 11:58:54 -07:00
Luiz Fernando N. Capitulino 066202dd48 USB: Make file operations structs in drivers/usb const.
Making structs const prevents accidental bugs and with the proper debug
options they're protected against corruption.

Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-09-27 11:58:52 -07:00
Eric Sesterhenn 053be305d3 [PATCH] USB: fix pointer dereference in drivers/usb/misc/usblcd
coverity spotted (id #185) that we still use urb, if the allocation
fails in the error path. This patch fixes this by returning directly.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-07-12 16:03:23 -07:00
Eric Sesterhenn 80b6ca4832 [PATCH] USB: kzalloc() conversion for rest of drivers/usb
Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-03-20 14:49:59 -08:00
Greg Kroah-Hartman 75318d2d7c [PATCH] USB: remove .owner field from struct usb_driver
It is no longer needed, so let's remove it, saving a bit of memory.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-01-04 13:48:34 -08:00
Greg Kroah-Hartman d6e5bcf4a7 [PATCH] devfs: Remove the mode field from usb_class_driver as it's no longer needed
Also fixes all drivers that set this field, and removes some other devfs
specfic USB logic.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 drivers/usb/class/usblp.c           |    3 +--
 drivers/usb/core/file.c             |   19 ++++---------------
 drivers/usb/image/mdc800.c          |    3 +--
 drivers/usb/input/aiptek.c          |    2 +-
 drivers/usb/input/hiddev.c          |    3 +--
 drivers/usb/media/dabusb.c          |    3 +--
 drivers/usb/misc/auerswald.c        |    3 +--
 drivers/usb/misc/idmouse.c          |    5 ++---
 drivers/usb/misc/legousbtower.c     |    5 ++---
 drivers/usb/misc/rio500.c           |    3 +--
 drivers/usb/misc/sisusbvga/sisusb.c |    5 -----
 drivers/usb/misc/usblcd.c           |    9 ++++-----
 drivers/usb/usb-skeleton.c          |    3 +--
 include/linux/usb.h                 |    7 ++-----
 14 files changed, 22 insertions(+), 51 deletions(-)
2005-10-28 16:47:37 -07:00
Linus Torvalds 1da177e4c3 Linux-2.6.12-rc2
Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.

Let it rip!
2005-04-16 15:20:36 -07:00